The creation of "lfs" user and its possible security issues
Robert Connolly
robert at linuxfromscratch.org
Wed Mar 5 18:24:52 MST 2008
On Monday March 3 2008 07:47:16 am mundoalem wrote:
> Hello everyone!
>
> As I was reading for the first time the Linux From Scratch
> books version 6.3 this weekend, I noticed that section:
>
> "4.3. Adding the LFS User"
> http://www.linuxfromscratch.org/lfs/view/stable/chapter04/addinguser.html
>
> is lacking notes on security issues about the creation
> of the "lfs" user and "lfs" group. I know the book just can't
> cover every aspect of security problems and errors that might
> occur if you do the things the book tells you to do.
> The sysadm should know what he is typing.
A weak password on the lfs account could lead to both local and remote
unauthorized use, which in turn could lead to a trojan-horsed coreutils
patch, which leads to a privilege escalation from /tools when root runs the
coreutils test suite, and then a root backdoor.
It could happen.
robert